Doing Away with Trust


Jamie Lewis has responded to posts about identity context and trust from myself, Kim Cameron, and Luke Razzell with a post on trust and what it means with respect to digital identity. As Jamie says, "the term 'trust' ... carries an enormous amount of baggage."

Jamie goes on to say that when we speak of trust in the context of digital identity, what we're really talking about is surety and risk management. Thus, gaining trust in another entity is the process of gathering evidence that can be used to establish the level of risk for any particular transaction.

My previous example about using your passport in a coffee shop to prove to the clerk that you are the same person named on the credit card that you present for payment can be further explored in this light. Let's see if I can explain the process without using the word "trust."

The clerk asks to see a form of ID (a credential) along with the credit card to reduce the risk of fraud. The clerk expects that you will produce a credential that is easily authenticated. Moreover, the clerk will evaluate the level of risk based upon his perception of the level of care the issuing organization has taken to vet the person in the credential, the organization's familiarity, and how difficult the credential is to fake.

The clerk is gathering evidence, even though he might not think of it that way, and evaluating the evidence in an effort to reduce the risk and gain surety that the transaction will be honored. In business, transactions frequently happen in the context of overarching agreements and understandings. Jamie characterizes these as a set of building blocks that include things like business relationship, legal contracts, key management, assertions, shared policies, technical assurance, and audits and accreditation.

Much of the most interesting work in digital identity is focused on allowing more of these building blocks to come into play in short-term relationships. You can think of that as eliminating the need for trust, if you like. Credit cards did this same sort of thing in the 70's. Before credit cards, credit was part of a long-term relationship that had many of Jamie's building blocks, or close analogies. What credit cards did was move those building blocks from a point-to-point relationship between the creditor and borrower into a networked relationship where the business relationship, legal contracts, policies, tokens, and technology were maintained at the infrastructure level.

Many have doubts that this sort of thing can happen in the identity world because risk and financial reward are not as easily offset as they are in the case of credit cards. I'm optimistic that we'll find a solution, because the rewards for doing so are significant. So far, the solutions I've seen do a nice job of solving the technical problems, but it remains to be seen whether or not identity providers will spring up who enjoy the same reputation as do the Federal and state governments. I believe that for reasons of risk management alone, governments may need to become identity providers in the online world in the same way they've become de facto identity providers in the physical world.